Hundreds of DNS queries



  • I did a packet capture today on our main WAN link through Time Warner.  There are hundreds of DNS requests for www.jjhyouxi.com

    Can someone tell me if I am correct:

    1.  Since these are UDP packets and no rule allows passage, they are not answered by pfsense.
    2.  I can only see them because they arrive on the interface.
    3.  There is no way to block them.

    Are my assumptions correct or is there something sinister going on here?

    Thank you.

    11:54:12.794603 IP (tos 0x0, ttl 236, id 24268, offset 0, flags [DF], proto UDP (17), length 62)
        58.20.219.178.27373 > xxx.xxx.xxx.150.53: 24268+ A? www.jjhyouxi.com. (34)
    11:54:12.852019 IP (tos 0x0, ttl 237, id 49916, offset 0, flags [DF], proto UDP (17), length 62)
        8.130.252.195.3017 > xxx.xxx.xxx.150.53: 49916+ A? www.jjhyouxi.com. (34)
    11:54:12.902375 IP (tos 0x0, ttl 234, id 17189, offset 0, flags [DF], proto UDP (17), length 62)
        58.20.201.243.6888 > xxx.xxx.xxx.150.53: 17189+ A? www.jjhyouxi.com. (34)
    11:54:12.995488 IP (tos 0x20, ttl 239, id 46034, offset 0, flags [DF], proto UDP (17), length 62)
        2.61.210.180.54574 > xxx.xxx.xxx.150.53: 46034+ A? www.jjhyouxi.com. (34)
    11:54:12.995787 IP (tos 0x20, ttl 239, id 38203, offset 0, flags [DF], proto UDP (17), length 62)
        128.221.59.150.15186 > xxx.xxx.xxx.150.53: 38203+ A? www.jjhyouxi.com. (34)
    11:54:12.996875 IP (tos 0x20, ttl 237, id 29972, offset 0, flags [DF], proto UDP (17), length 62)
        92.231.20.118.52292 > xxx.xxx.xxx.150.53: 29972+ A? www.jjhyouxi.com. (34)
    11:54:12.998631 IP (tos 0x20, ttl 237, id 59465, offset 0, flags [DF], proto UDP (17), length 62)
        72.151.73.233.55575 > xxx.xxx.xxx.150.53: 59465+ A? www.jjhyouxi.com. (34)
    11:54:13.040792 IP (tos 0x0, ttl 237, id 47338, offset 0, flags [DF], proto UDP (17), length 62)
        109.158.234.185.50167 > xxx.xxx.xxx.150.53: 47338+ A? www.jjhyouxi.com. (34)
    11:54:13.074219 IP (tos 0x0, ttl 234, id 17288, offset 0, flags [DF], proto UDP (17), length 62)
        4.228.136.68.36876 > xxx.xxx.xxx.150.53: 17288+ A? www.jjhyouxi.com. (34)

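An added example, not part of the original post or of pfSense: a small parser for the two-line `tcpdump -v` records pasted above that pulls out the features worth checking before deciding whether inbound DNS noise is harmless. The sample input is the nine records from the capture itself (destination anonymised as in the post). One thing the script makes explicit that is easy to miss by eye: in every record the IP header `id` equals the DNS transaction ID (e.g. `id 24268` and `24268+`), which stock resolver stacks do not do and a packet generator typically does. The finding strings and thresholds are the example's own heuristics, not anything from the thread.

```python
"""Summarise a tcpdump -v capture of inbound DNS queries.

Added example for the thread above. It parses the two-line tcpdump records
from the original post and reports the features a responder would check
before deciding whether the traffic is noise or something sinister.
"""
import re
from collections import Counter
from datetime import datetime

# First line of each record: timestamp, IP header fields, protocol.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP \(tos 0x[0-9a-f]+, ttl (?P<ttl>\d+), "
    r"id (?P<ipid>\d+), .*proto (?P<proto>\w+)"
)
# Second line: src.port > dst.port: TXID[+] QTYPE? qname (len)
QUERY_RE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)

# Sample input: the nine records from the capture in the original post.
SAMPLE_CAPTURE = """\
11:54:12.794603 IP (tos 0x0, ttl 236, id 24268, offset 0, flags [DF], proto UDP (17), length 62)
    58.20.219.178.27373 > xxx.xxx.xxx.150.53: 24268+ A? www.jjhyouxi.com. (34)
11:54:12.852019 IP (tos 0x0, ttl 237, id 49916, offset 0, flags [DF], proto UDP (17), length 62)
    8.130.252.195.3017 > xxx.xxx.xxx.150.53: 49916+ A? www.jjhyouxi.com. (34)
11:54:12.902375 IP (tos 0x0, ttl 234, id 17189, offset 0, flags [DF], proto UDP (17), length 62)
    58.20.201.243.6888 > xxx.xxx.xxx.150.53: 17189+ A? www.jjhyouxi.com. (34)
11:54:12.995488 IP (tos 0x20, ttl 239, id 46034, offset 0, flags [DF], proto UDP (17), length 62)
    2.61.210.180.54574 > xxx.xxx.xxx.150.53: 46034+ A? www.jjhyouxi.com. (34)
11:54:12.995787 IP (tos 0x20, ttl 239, id 38203, offset 0, flags [DF], proto UDP (17), length 62)
    128.221.59.150.15186 > xxx.xxx.xxx.150.53: 38203+ A? www.jjhyouxi.com. (34)
11:54:12.996875 IP (tos 0x20, ttl 237, id 29972, offset 0, flags [DF], proto UDP (17), length 62)
    92.231.20.118.52292 > xxx.xxx.xxx.150.53: 29972+ A? www.jjhyouxi.com. (34)
11:54:12.998631 IP (tos 0x20, ttl 237, id 59465, offset 0, flags [DF], proto UDP (17), length 62)
    72.151.73.233.55575 > xxx.xxx.xxx.150.53: 59465+ A? www.jjhyouxi.com. (34)
11:54:13.040792 IP (tos 0x0, ttl 237, id 47338, offset 0, flags [DF], proto UDP (17), length 62)
    109.158.234.185.50167 > xxx.xxx.xxx.150.53: 47338+ A? www.jjhyouxi.com. (34)
11:54:13.074219 IP (tos 0x0, ttl 234, id 17288, offset 0, flags [DF], proto UDP (17), length 62)
    4.228.136.68.36876 > xxx.xxx.xxx.150.53: 17288+ A? www.jjhyouxi.com. (34)
"""


def parse_capture(text):
    """Pair each header line with the query line that follows it."""
    records, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        m = QUERY_RE.match(line)
        if m and header:
            rec = {**header, **m.groupdict()}
            for key in ("ttl", "ipid", "sport", "dport", "txid"):
                rec[key] = int(rec[key])
            rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
            records.append(rec)
            header = None  # a header is consumed by exactly one query line
    return records


def summarize(records):
    """Aggregate the fields a responder looks at first."""
    if not records:
        return {"total": 0}
    span = (records[-1]["ts"] - records[0]["ts"]).total_seconds()
    return {
        "total": len(records),
        "qnames": Counter(r["qname"] for r in records),
        "qtypes": Counter(r["qtype"] for r in records),
        "unique_sources": len({r["src"] for r in records}),
        "ttls": Counter(r["ttl"] for r in records),
        # Stock resolver stacks pick the DNS TXID independently of the IP ID;
        # a generator that reuses one counter for both leaves them equal.
        "ipid_equals_txid": sum(r["ipid"] == r["txid"] for r in records),
        "to_port_53": sum(r["dport"] == 53 for r in records),
        "span_seconds": span,
        "rate_per_second": len(records) / span if span > 0 else float("inf"),
    }


def assess(s):
    """Turn the summary into findings (heuristics of this example only)."""
    if s["total"] == 0:
        return ["no DNS queries parsed"]
    findings = []
    name, n = s["qnames"].most_common(1)[0]
    if n == s["total"] and s["unique_sources"] > 1:
        findings.append(f"single qname {name} from {s['unique_sources']} distinct sources")
    if s["ipid_equals_txid"] == s["total"]:
        findings.append("IP ID equals DNS TXID on every packet: consistent with a packet generator")
    if s["unique_sources"] == s["total"]:
        findings.append("every source sent exactly one query: spoofed or widely distributed senders")
    findings.append(f"{s['rate_per_second']:.0f} queries/s over {s['span_seconds']:.3f} s")
    return findings


if __name__ == "__main__":
    for line in assess(summarize(parse_capture(SAMPLE_CAPTURE))):
        print(line)
```

Feed it `tcpdump -v -n -i <wan> udp dst port 53` output saved to a file in place of `SAMPLE_CAPTURE`; the sample's hundreds of queries per minute from unrelated /8s, one query per source, one name, and matching IP/TXIDs are what distinguish a flood or a misfiring bot from a resolver that merely has you misconfigured as its forwarder.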


  • It's a buggy worm, just ignore them…


  • Banned

    If it makes the firewall log useless, you might set up a special blocking rule somewhere at the top without logging.



  • 1.  Since these are UDP packets and no rule allows passage, they are not answered by pfsense.

    They are not processed and passed along to their final destination.  They are dropped.

    2.  I can only see them because they arrive on the interface.

    You can only see them because a) they arrived on the interface and, b) you have a default block rule that is set to log all blocks.

    3.  There is no way to block them.

    You can block them from entering your network, but you cannot block them from hitting your WAN interface unless you get help from your ISP who can block them from hitting your WAN.